Diagram #1 – An OT Security Challenge: Industrial Components Exposed to EncryptionFrom what we’ve seen, ransomware generally encrypts Windows and Linux machines. We still haven’t seen any PLCs being encrypted. However, many industrial services are run on Windows / Linux machines – such as Historians, HMIs, Storage, Application Servers, Management Portals and OPC Client/Servers. In many cases, ransomware operations would not stop in the IT network, and will also attack OT segments. More encrypted devices means a higher monetary ransom demand from the attackers. Organizations must be able to monitor & detect threats across the IT/OT boundary in order to effectively identify risks before reaching process-critical end-points.
Diagram #2 – Ransomware Prevention: How You Can Prevent Ransomware Attacks On Your Industrial NetworksSome of the tools and techniques that ransomware operators are using are on the same level that nation-state threat actors are using on targeted espionage campaigns.
Diagram #3 – Tactics, Techniques & Procedures most commonly used in Ransomware AttacksWe recommend that organizations practice these common security procedures to minimize their risk of ransomware infection on each step of the kill chain: Initial Access:
- If possible, replace RDP with a remote access solution that requires two-factor authentication, many VPNs now support that. This will require attackers to be verified by, for example, a code sent via SMS.
- If you choose to still use RDP, make sure its Windows Update is enabled and is working.
- Email Phishing
- Educate the organization’s employees about phishing attacks. Employees should be suspicious of emails that don’t seem right and not click on suspicious links.
- Install an Anti-Phishing solution.
- Software vulnerabilities of internet-facing servers
- Scan your organization’s IP range from outside the network. Verify that all exposed IP/ports are what you expect them to be.
- Make sure that automatic security updates are enabled for your exposed services. If one of your services (such as web servers, for example) does not have that feature, consider changing it to a similar one that has this feature.
- Firewalls & Windows Update – Enable firewalls on all of your workstations and servers. Make sure that Windows Update is enabled. This will ensure that your machines will be patched for the latest vulnerabilities and will also be less prone to lateral movement techniques. Microsoft constantly updates their security policies and their firewall rules. One good example is that they disabled the remote creation of processes using the Task Scheduler ‘at’ command.
- Endpoint Protection
Endpoint protection works. Beyond blocking classic hackers’ techniques, some also have defenses against ransomware and will protect your assets from encryption.
- Network Segmentation
Ideally, you would want to minimize the risk of your industrial network being impacted when suffering a ransomware attack.
- To the possible extent, separate the IT network from the OT network segment. Monitor and limit the access between the segments.
- Use different management servers to the OT and IT networks (Windows Domains, etc). By doing so, compromising the IT domain will not compromise the OT domain.
- Constant Network Monitoring A constant network monitoring platform (we happen to know a really good one), will help you identify threats while analyzing network traffic and will help you see the bigger picture of what’s happening in your network.
- Data Exfiltration Monitor your network for unusual outbound traffic. Everyday user activity should not generate uplink activity higher than about 200MB/daily per user.
- Asset Management
- Network Maps
- Traffic Analyzers
- Security exploits being sent across the network.
- Lateral movements attempts using latest techniques.
- Network scanning and network reconnaissance.
Additional credits: Yossi Reuven and Michael Yehoshua have also contributed to this comprehensive guide.
About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
SCADAfence helps companies with large-scale operational technology (OT) networks embrace the benefits of industrial IoT by reducing cyber risks and mitigating operational threats. Our non-intrusive platform provides full coverage of large-scale networks, offering best-in-class detection accuracy, asset discovery and user experience. The platform seamlessly integrates OT security within existing security operations, bridging the IT/OT convergence gap. SCADAfence secures OT networks in manufacturing, building management and critical infrastructure industries. We deliver security and visibility for some of world’s most complex OT networks, including Europe’s largest manufacturing facility. With SCADAfence, companies can operate securely, reliably and efficiently as they go through the digital transformation journey.